SSLyze — Install, Use, Optimise (2026)

Manish Garg, Associate of (ISC)² · RingSafe
Apr 29, 2026

Fast TLS configuration scanner — checks ciphers, protocols, certificate chain, OCSP stapling, vulnerabilities (Heartbleed, ROBOT, etc.).

Use case: Network Security
Difficulty: Beginner
Homepage: https://github.com/nabla-c0d3/sslyze

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

pipx

pipx install sslyze

Linux (apt)

sudo apt install sslyze

Docker

docker run --rm nablac0d3/sslyze --regular target.com:443

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Default audit

sslyze target.com

Specific port

sslyze target.com:8443

Mozilla intermediate config check

sslyze target.com --mozilla_config=intermediate

JSON output

sslyze target.com --json_out=report.json

Multiple targets

sslyze target1.com target2.com --regular

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • Default scan: ~10-30 sec per host.
  • --regular covers protocols, ciphers, certs, vulnerabilities — comprehensive.
  • --slow_connection for high-latency or rate-limited targets.
  • JSON output is verbose but parses cleanly into compliance reports.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Doesn’t test all attacks (e.g., DROWN requires special probing). Cross-check with testssl.sh.
  • Some vulnerability checks require specific server cooperation (OCSP). Failures may indicate config issues, not vulnerabilities.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • testssl.sh — bash-based, more checks, slower.
  • nmap --script ssl-* — built into Nmap.
  • SSL Labs server test — comprehensive, web-only.

India context and engagement notes

For Indian PCI-DSS / RBI compliance: SSLyze’s output is auditor-friendly. Pair it with testssl.sh for a second opinion. Required reading: PCI-DSS v4.0 mandates TLS 1.2+ — SSLyze’s “Mozilla intermediate” config is roughly equivalent.
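
An added example (not from SSLyze or the original article) that turns the --json_out report into a TLS 1.2 floor check and keeps failed probes separate from passes, as the pitfalls section advises. It assumes the SSLyze 5.x JSON layout (server_scan_results, scan_result, per-command status and result); the sample report and hostnames are constructed, and completed and audit_tls_floor are hypothetical names.

```python
import json

def completed(*suites):
    """Build one finished per-protocol scan command entry (constructed data)."""
    return {"status": "COMPLETED", "result": {
        "accepted_cipher_suites": [{"cipher_suite": {"name": s}} for s in suites]}}

# Constructed, trimmed report. ASSUMPTION: SSLyze 5.x --json_out layout, i.e.
# server_scan_results[].scan_result.<proto>_cipher_suites.{status,result}.
SAMPLE_REPORT = json.dumps({"server_scan_results": [
    {"server_location": {"hostname": "legacy.example", "port": 443},
     "scan_status": "COMPLETED",
     "scan_result": {
         "ssl_2_0_cipher_suites": completed(),
         "ssl_3_0_cipher_suites": completed(),
         "tls_1_0_cipher_suites": completed("TLS_RSA_WITH_AES_128_CBC_SHA"),
         "tls_1_1_cipher_suites": {"status": "ERROR", "result": None},
         "tls_1_2_cipher_suites": completed("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")}},
    {"server_location": {"hostname": "down.example", "port": 8443},
     "scan_status": "ERROR_NO_CONNECTIVITY", "scan_result": None},
]})

LEGACY = ["ssl_2_0", "ssl_3_0", "tls_1_0", "tls_1_1"]  # everything below TLS 1.2

def audit_tls_floor(report_text):
    """Map 'host:port' to a verdict plus the legacy protocols accepted or untested."""
    findings = {}
    for server in json.loads(report_text)["server_scan_results"]:
        loc = server["server_location"]
        key = f"{loc['hostname']}:{loc['port']}"
        scan = server.get("scan_result")
        if server.get("scan_status") != "COMPLETED" or not scan:
            findings[key] = {"verdict": "NOT_SCANNED", "legacy_accepted": [],
                             "untested": list(LEGACY)}
            continue
        accepted, untested = [], []
        for proto in LEGACY:
            cmd = scan.get(f"{proto}_cipher_suites") or {}
            if cmd.get("status") != "COMPLETED" or not cmd.get("result"):
                untested.append(proto)  # failed probe: a coverage gap, not a pass
            elif cmd["result"]["accepted_cipher_suites"]:
                accepted.append(proto)
        verdict = "FAIL" if accepted else ("INCOMPLETE" if untested else "PASS")
        findings[key] = {"verdict": verdict, "legacy_accepted": accepted,
                         "untested": untested}
    return findings

if __name__ == "__main__":
    for target, row in audit_tls_floor(SAMPLE_REPORT).items():
        print(target, row)
```

To audit a real scan, pass the contents of report.json to audit_tls_floor; an INCOMPLETE or NOT_SCANNED verdict means re-scan or cross-check with testssl.sh before reporting the host as compliant.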


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
